iplocation

Description

Extracts location information from IP addresses by using 3rd-party databases. This command supports IPv4 and IPv6.

The IP address that you specify in the ip-address-fieldname argument is looked up in the database. Fields from that database that contain location information are added to each event. The setting used for the allfields argument determines which fields are added to the events.

Because all the information might not be available for each IP address, an event can have empty field values.

For IP addresses which do not have a location, such as internal addresses, no fields are added.

Syntax

Required arguments

ip-address-fieldname

Syntax: <field>

Description: Specify an IP address field, such as clientip.

Optional arguments

allfields

Syntax: allfields=<bool>

Description: Specifies whether to add all of the fields from the database to the events. If set to true, adds the fields City, Continent, Country, lat (latitude), lon (longitude), MetroCode, Region, and Timezone.

Default: false. Only the City, Country, lat, lon, and Region fields are added to the events.

lang

Syntax: lang=<string>

Description: Render the resulting strings in different languages. For example, use "lang=es" for Spanish. The set of languages depends on the geoip database that is used. To specify more than one language, separate them with a comma. This also indicates the priority in descending order. Specify "lang=code" to return the fields as two letter ISO abbreviations.

prefix

Syntax: prefix=<string>

Description: Specify a string to prefix the field name. With this argument you can add a prefix to the added field names to avoid name collisions with existing fields. For example, if you specify prefix=iploc_ the field names that are added to the events become iploc_City, iploc_Country, iploc_lat, and so forth.

Default: NULL/empty string
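To make the field semantics above concrete, here is an added Python model of how the command enriches events, written for this page and not Splunk's own implementation. The database is a constructed dictionary keyed by the IPv4 and IPv6 documentation ranges with made-up location values; the event list is constructed as well. It shows the default field set versus allfields=true, empty values for data the record lacks, an event whose address has no record (an internal address) passing through untouched, a prefix preventing a collision with an existing Region field, and a comma-separated lang priority list. The fallback order for lang (requested languages, then "en", with "code" treated as one more key) is an assumption of this model.

```python
import ipaddress
from typing import Any

# Field sets named in the allfields description above.
DEFAULT_FIELDS = ("City", "Country", "lat", "lon", "Region")
ALL_FIELDS = ("City", "Continent", "Country", "lat", "lon",
              "MetroCode", "Region", "Timezone")

# Constructed stand-in for the GeoLite2-City.mmdb database. The networks are the
# IPv4 and IPv6 documentation ranges and every location value is made up.
SAMPLE_DB = {
    ipaddress.ip_network("203.0.113.0/24"): {
        "City": {"en": "Springfield", "es": "Springfield"},
        "Continent": {"en": "North America", "es": "Norteamerica", "code": "NA"},
        "Country": {"en": "United States", "es": "Estados Unidos", "code": "US"},
        "lat": 39.8, "lon": -89.6, "MetroCode": "648",
        "Region": {"en": "Illinois"}, "Timezone": "America/Chicago",
    },
    ipaddress.ip_network("2001:db8::/32"): {
        # Sparse record (no City, Region or MetroCode): such gaps are normal.
        "Continent": {"en": "Europe", "es": "Europa", "code": "EU"},
        "Country": {"en": "Germany", "es": "Alemania", "code": "DE"},
        "lat": 51.2, "lon": 10.4, "Timezone": "Europe/Berlin",
    },
}

# Constructed sample events, as a search would produce them before | iplocation.
EVENTS = [
    {"clientip": "203.0.113.7", "Region": "us-east"},  # has a colliding Region field
    {"clientip": "2001:db8::1"},                        # IPv6, sparse record
    {"clientip": "10.0.0.5"},                           # internal address, no record
    {"clientip": "not-an-ip"},                          # unparsable value
]


def _render(value: Any, langs: list[str]) -> Any:
    """Pick the localized name for dict-valued fields; pass scalars through.
    Assumption: requested languages are tried in order, then "en"; "code" is
    just another key, so lang=code yields ISO codes where the record has them."""
    if value is None:
        return ""
    if not isinstance(value, dict):
        return value
    for lang in langs + ["en"]:
        if lang in value:
            return value[lang]
    return ""


def lookup(ip_text: str):
    """Return the database record covering ip_text, or None if there is none
    (invalid value, internal address, or simply no location known)."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, record in SAMPLE_DB.items():
        if addr.version == net.version and addr in net:
            return record
    return None


def iplocation(events, field, allfields=False, lang="en", prefix=""):
    """Model of `| iplocation [allfields=<bool>] [lang=<string>] [prefix=<string>] <field>`."""
    langs = [code.strip() for code in lang.split(",") if code.strip()]
    wanted = ALL_FIELDS if allfields else DEFAULT_FIELDS
    enriched_events = []
    for event in events:
        enriched = dict(event)
        record = lookup(str(event.get(field, "")))
        if record is not None:  # no record: the event passes through untouched
            for name in wanted:
                enriched[prefix + name] = _render(record.get(name), langs)
        enriched_events.append(enriched)
    return enriched_events


if __name__ == "__main__":
    for row in iplocation(EVENTS, "clientip", allfields=True, lang="es", prefix="iploc_"):
        print(row)
```

Without a prefix the looked-up Region overwrites the event's own Region field; with prefix=iploc_ both survive, which is the collision the prefix argument exists to avoid.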

Usage

The Splunk software ships with a copy of the GeoLite2-City.mmdb database file. This file is located in the $SPLUNK_HOME/share/ directory.

Updating the MMDB file

You can replace the version of the .mmdb file that ships with the Splunk software with a copy of the paid version of the file or with a monthly update of the free version of the file.

Copy the GeoLite2-City.mmdb file to the $SPLUNK_HOME/share/ directory to overwrite the file there.

Impact of upgrading Splunk software

When you upgrade your Splunk platform, the GeoLite2-City.mmdb file in the share directory is replaced by the version of the file that ships with the Splunk software. One option is to store the MMDB file in a different path.

Storing the MMDB file in a different path

If you prefer to update the GeoLite2-City.mmdb file yourself, for example if you use a paid version of the file, you can store the MMDB file in a different path. The path that is used by the Splunk software to access the file must be updated.

Prerequisites

Only users with file system access, such as system administrators, can specify a different path to the MMDB file in the limits.conf file.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

If you are using Splunk Cloud and want to edit the configuration file, file a Support ticket.

Steps

1. Open the local limits.conf file for the Search app. For example, $SPLUNK_HOME/etc/system/local.

2. Add the [iplocation] stanza.

3. Add the db_path setting and specify the absolute path to the GeoLite2-City.mmdb file. The db_path setting does not support standard Splunk environment variables such as $SPLUNK_HOME.
For example: db_path = /Applications/Splunk/mmdb/GeoLite2-City.mmdb specifies a new directory called mmdb.

4. Ensure a copy of the MMDB file is stored in the /Applications/Splunk/mmdb/ directory.

Storing the MMDB file with a different name

Alternatively, you can add the updated MMDB to the share directory using a different name and then specify that name in the db_path setting. For example: db_path = /Applications/Splunk/share/GeoLite2-City_paid.mmdb.
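As an added example for the steps above and the renamed-file variant (not Splunk's own tooling), the following Python helper writes the [iplocation] stanza into etc/system/local/limits.conf while enforcing what the page states about db_path: it must be an absolute path, it must not use $SPLUNK_HOME or other environment variables, the MMDB file must already be in place, and the default directory is never touched. The demo runs against a throwaway directory standing in for $SPLUNK_HOME, with an empty placeholder file in a hypothetical mmdb/ subdirectory in place of the real database.

```python
import os
import tempfile
from pathlib import Path


def render_iplocation_stanza(db_path: str) -> str:
    """Build the [iplocation] stanza text, enforcing the two constraints the
    documentation states for db_path: an absolute path, written out without
    Splunk environment variables such as $SPLUNK_HOME."""
    if "$" in db_path:
        raise ValueError("db_path must not contain environment variables such as $SPLUNK_HOME")
    if not os.path.isabs(db_path):
        raise ValueError("db_path must be an absolute path to the .mmdb file")
    return f"[iplocation]\ndb_path = {db_path}\n"


def write_local_stanza(splunk_home: str, db_path: str) -> Path:
    """Append the stanza to etc/system/local/limits.conf (never etc/system/default).
    Refuses to run if the MMDB file is not already in place or a stanza exists."""
    stanza = render_iplocation_stanza(db_path)
    if not Path(db_path).is_file():
        raise FileNotFoundError(f"copy the MMDB file to {db_path} before pointing db_path at it")
    target = Path(splunk_home) / "etc" / "system" / "local" / "limits.conf"
    target.parent.mkdir(parents=True, exist_ok=True)
    existing = target.read_text() if target.exists() else ""
    if "[iplocation]" in existing:
        raise ValueError(f"{target} already contains an [iplocation] stanza; edit it by hand")
    with target.open("a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(stanza)
    return target


def rejects(db_path: str) -> bool:
    """True if render_iplocation_stanza refuses db_path."""
    try:
        render_iplocation_stanza(db_path)
    except ValueError:
        return True
    return False


def demo_in_tempdir() -> str:
    """Exercise write_local_stanza against a throwaway $SPLUNK_HOME and return
    the resulting limits.conf text. Hypothetical layout: the MMDB sits in
    <home>/mmdb/, mirroring the example path in the steps above."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    mmdb = Path(home) / "mmdb" / "GeoLite2-City.mmdb"
    mmdb.parent.mkdir()
    mmdb.write_bytes(b"")  # empty placeholder standing in for the real database
    target = write_local_stanza(home, str(mmdb))
    return target.read_text()


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The same helper covers the renamed-file variant: pass the absolute path of GeoLite2-City_paid.mmdb in the share directory as db_path.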

The MMDB file and distributed deployments

The iplocation command is a distributable streaming command, which means that it can be processed on the indexers. The share directory is not part of the knowledge bundle. If you update the MMDB file in the share directory, the updated file is not automatically sent to the indexers in a distributed deployment. To add the MMDB file to the indexers, use the tools that you typically use to push files to the indexers.

Comments

Can we change the Maxmind MMDB data file type? (or a custom mmdb file)
ex) GeoLite2-City.mmdb --> Geo2-ISP.mmdb
We need to get AS number and ISP org information using the iplocation command.
We already used other apps called Geo2IP and Seckit iplocation, and we made a custom command, but it is too slow.

K3igun

September 13, 2017

Modified the search parameters, and now I can more easily visualize which type of rogue users are attempting to access the admin section of my blog

sourcetype=iis login | top limit=20 c_ip | iplocation c_ip | table c_ip, City, Country, count
